amb at xara.net
Sat Aug 16 09:01:28 UTC 1997
danny at genuity.net said:
> Aug 15 20:04:45.087 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp
> 220.127.116.11 (Fddi6/0 0060.7017.a188) -> 18.104.22.168 (0/0), 1 packet
I'm pretty sure this is a new feature. Wow. Useful. That's exactly
what I wanted. Given you are doing this I take it it's in 11.1.11CA1.
> Hope I haven't overlooked something obvious here .. but I'm sure that
> if I did someone will "enlighten" me ;-) Of course, the one obvious
> thing I didn't mention is that if everyone were to deploy ingress
> filtering, this would be much, much easier to control.
The other nice solution would be an inverse traceroute that went
back to each router in turn, passing it a bit of BPF saying "where
are you getting packets like this from please?". If such a protocol
existed, this would allow trace back to source (or at least trace
back to the point where the protocol wasn't supported) which would
automate most of the tracking and reduce the need to persuade
NOCs to cooperate. There are obviously security concerns in allowing
3rd parties to remotely apply packet tracking in your network, but
I'm sure with a cold flannel applied to forehead these could be
worked through. RFC time anyone?
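
Added example, not part of the original post: a parser for the `%SEC-6-IPACCESSLOGDP` message format quoted above that tallies packets toward one destination by input interface and MAC address, which is the hop-by-hop information the message exposes for tracing. The function names, the sample lines and their addresses are constructed for illustration.

```python
import re
from collections import Counter

# ICMP form of the message quoted above. The "(interface MAC)" part is
# optional because it is absent when the ACL entry logs without input info.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+) "
    r"(?:\((?P<ifname>\S+) (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\) )?"
    r"-> (?P<dst>[\d.]+) \((?P<itype>\d+)/(?P<icode>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def parse_acl_log(line):
    """Return the fields of one ACL log line as a dict, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def ingress_tally(lines, victim):
    """Sum packet counts toward `victim`, keyed by (input interface, MAC)."""
    tally = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        # Lines without input info cannot be attributed to a neighbour.
        if rec and rec["dst"] == victim and rec["ifname"]:
            tally[(rec["ifname"], rec["mac"])] += rec["count"]
    return tally

# Constructed sample lines (documentation address ranges, made-up counts).
P = "Aug 15 20:04:45.087 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp "
SAMPLE = [
    P + "192.0.2.10 (Fddi6/0 0060.7017.a188) -> 203.0.113.5 (0/0), 1 packet",
    P + "198.51.100.77 (Fddi6/0 0060.7017.a188) -> 203.0.113.5 (0/0), 412 packets",
    P + "192.0.2.200 (Fddi6/0 0000.0c07.ac01) -> 203.0.113.5 (0/0), 37 packets",
    P + "192.0.2.33 -> 203.0.113.5 (0/0), 5 packets",
    P + "192.0.2.44 (Fddi6/0 0060.7017.a188) -> 203.0.113.99 (8/0), 9 packets",
    "Aug 15 20:04:46.000 MST: %LINK-3-UPDOWN: Interface Fddi6/0, changed state to up",
]

if __name__ == "__main__":
    for (ifname, mac), pkts in ingress_tally(SAMPLE, "203.0.113.5").most_common():
        print(f"{ifname} {mac}: {pkts} packets")
```

On a shared medium such as an FDDI ring the interface alone does not identify the sender, so the MAC address is what distinguishes which neighbouring router to ask next.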